CN103560888B - Digital certificate-based unified authentication login method for integrating multiple application systems


Info

Publication number: CN103560888B
Authority: CN (China)
Application number: CN201310542169.5A
Other languages: Chinese (zh)
Other versions: CN103560888A (en)
Inventors: 王杰勋, 李业兵, 庄昱垚
Assignee (current and original): JIANGSU XIAN'AN TECHNOLOGY Co Ltd
Prior art keywords: user, application system, digital certificate, information application, certificate
Legal status: Active (granted)


Abstract

The invention discloses a digital certificate-based unified authentication login method for integrating multiple application systems. A legitimate digital certificate is issued to the user, and certificate-based authentication replaces the original username-and-password authentication; a unified authentication platform is established that provides a unified authentication service to all information application systems; each information application system connects to the platform, performs login authentication and authorization, and completes unified authentication login. With this method the security of the information application systems is improved, losses caused by earlier leaks of usernames and passwords are reduced, and the digital certificate's signature guarantees traceability of operations within the information application systems; because a unified authentication platform is established, user information resources can be shared centrally and are easy to manage and maintain; an open interface based on the OAuth 2.0 protocol makes it easier for new application information systems to connect to the platform; and the unified authentication login and single sign-on functions simplify user operation and improve working efficiency.

Description

A method for realizing unified authentication login across multiple integrated application systems based on digital certificates
Technical field
The present invention belongs to the field of Public Key Infrastructure (PKI) systems and provides a lightweight, safe and efficient way to realize unified authentication login and single sign-on for one or more integrated application systems based on digital certificates.
Background art
X.509 is an international standard recommended by ITU-T. X.509 defines a widely accepted PKI basis, including the data format of digital certificates and the process by which public keys are distributed through certificates issued by a certificate authority.
An X.509 digital certificate is data signed by a trustworthy certificate-issuing organization that binds particular public key data to identity information.
It is well known that the development of every technology and application goes through a process, and the development of information technology is no exception. In the course of computer technology and application development, many large enterprises, companies, public institutions and government departments successively adopted a large number of information application systems to solve or meet the needs of business and operations. For historical reasons, these information application systems are often dispersed and operated independently, with no intersection of business or permissions between them; a user who wants to use the business of a different information application system must log in to that system separately. Therefore, after a period of informatization, these large enterprises, companies, public institutions and government departments all face the problem that the existing large number of information application systems cannot be managed in a unified, centralized way, and remembering the account and password of each information application system brings considerable trouble to system users. As security awareness rises, more and more users also recognize that the account-and-password authentication mode is easy to crack and insecure.
OAuth 1.0 has been finalized at the IETF as RFC 5849, which marks OAuth formally becoming an Internet standard protocol. OAuth (Open Authorization) is an open standard that allows a user to let a third-party application access that user's private resources stored on a certain website (such as photos, videos or contact lists) without supplying the username and password to the third-party application. Work on the OAuth 2.0 draft is already under way, and OAuth 2.0 is likely to become the next-generation "user authentication and authorization" standard. Most open platforms today, such as Baidu's open platform and Tencent's open platform, use the OAuth 2.0 protocol as their support.
Shortcomings of the prior art: some technical means now exist that can, to a certain extent, improve or partly solve the difficulty that many large enterprises, companies, public institutions and government departments face in integrating originally dispersed and independent information application systems, but these technical means have the following problems:
First, the main purpose of existing single sign-on technology is to let a user log in only once to access all mutually trusting application systems, but its limitation is also obvious: the applicable scenarios are mostly those in which the user authentication information is a username and password, and application systems that need to log in with a digital certificate are often not supported.
Second, the username-and-password mode has very large security problems. In recent years the Internet has seen many incidents in which system usernames and passwords were leaked, in particular the recent Tianya account leak and the CSDN account leak, which again exposed how insecure this authentication mode is. From a technical standpoint, usernames and passwords are very easily cracked or stolen, the true identity of the user cannot be traced, and responsibility can neither be located nor pursued.
Third, existing schemes often adopt centralized management of permissions, but at the cost of sacrificing the system's extensibility. As a result, when an enterprise, company, public institution or government department needs to integrate further external information application systems, it must again change the existing system and transform the external information application system, which is inconvenient. In particular, when an external information application system only needs the unified login function and requires its permissions to remain independent, existing schemes are helpless.
Content of the invention
Purpose of the invention: in view of the problem that many large enterprises, companies, public institutions and government departments face in integrating multiple dispersed and independent information application systems, the present invention proposes a method for realizing unified authentication login across multiple integrated application systems based on digital certificates, which can effectively solve the above problems.
To achieve the above object, the technical scheme of the present invention is a method for realizing unified authentication login across multiple integrated application systems based on digital certificates, which at least includes:
First, the original username-and-password authentication mode is replaced by digital certificate authentication. The private key of the digital certificate is generated, used and destroyed entirely inside a USB Key and is never exported or copied, and the PIN that protects the private key is known only to the certificate holder, so its security is protected to the greatest extent.
Second, a unified authentication platform is established. The unified authentication platform uses digital certificates as user profiles; based on certificate verification, it provides a unified authentication service and a single sign-on service to each information application system and provides an open interface (Open API). Each time unified authentication login is performed on the platform, the user's digital certificate and digital signature are verified, and only after verification passes can the normal business flow be entered.
Third, the information application systems connect to the platform, perform login authentication and authorization, and complete unified authentication login. Each information application system applies for an appid and appkey according to the OAuth 2.0 protocol requirements provided by the unified authentication platform, then modifies its login module to add a "log in with digital certificate account" button.
When the user clicks the "log in with digital certificate account" button on an information application system's login page, the page redirects to the unified authentication platform's login page. After the user logs in successfully with the digital certificate, the platform jumps to the "confirm and authorize" page; once the user has confirmed and authorized, the information application system obtains permission to access the user profile, the page redirects back to the information application system, unified authentication login is complete, and the normal business flow begins.
Beneficial effects of the invention: replacing the traditional username-and-password mode with digital certificate authentication improves the security of the information application systems and reduces the losses caused by earlier leaks of users' usernames and passwords; at the same time, because the digital certificate's signature has the property of non-repudiation, operations in the information application systems are traceable and responsibility is easy to establish. Establishing a unified authentication platform lets user profile resources be shared centrally and makes them easy to manage and maintain; the open interface based on the OAuth 2.0 protocol makes connecting new information application systems simple; and the unified authentication login and single sign-on functions are convenient for users and improve working efficiency.
Brief description
Fig. 1 is the flow of an information application system of the present invention applying to connect to the unified authentication platform.
Fig. 2 is the unified authentication login flow chart of the present invention.
Fig. 3 is the single sign-on flow chart of the present invention.
Specific embodiment
The present invention is described in more detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 shows the flow of an information application system of the present invention applying to connect to the unified authentication platform.
First, replace the original username-and-password authentication with digital certificate authentication. Users who do not yet have a digital certificate are guided to apply to a legitimate CA for one; users who already have a digital certificate need only selectively bind the digital certificate to their username and password in the original information application system.
Second, establish the unified authentication platform and provide a unified authentication service to each information application system. The platform's authentication flow strictly follows the OAuth 2.0 protocol, and the platform also provides an open interface (Open API) to the information application systems. The platform uses digital certificates as user profiles; each time unified authentication login is performed, the user's digital certificate and digital signature are verified, and only after verification passes can the normal business flow be entered.
The unified authentication platform is mainly implemented as follows:
1) Certificate verification
According to the flow design, every certificate used to log in must submit a signature at login time. The unified authentication platform verifies whether the certificate signature is legitimate and, at the same time, whether the digital certificate itself is legitimate, including checking its validity period, checking the CA authority's signature, and checking the certificate revocation list.
2) Unified authentication service
The unified authentication platform provides a unified authentication service for all information application systems connected to it. On the login page of an information application system that is connected to the platform, clicking the "log in with digital certificate" button redirects the page to the platform for unified authentication; after successful authentication, the page redirects back to the information application system.
3) Single sign-on; the single sign-on flow chart of the present invention is shown in Fig. 3
The unified authentication platform provides a single sign-on service for all information application systems connected to it. After successfully logging in to the platform once, the user can switch between the connected information application systems without repeatedly authenticating and logging in.
4) Providing an open interface (Open API)
An authorized information application system can obtain all of the open functions through the open interface provided by the unified authentication platform; for example, after the certificate user authorizes it, the information application system can obtain the certificate user's details, certificate extension attribute information, and so on.
Third, the information application system connects, performs login authentication and authorization, and completes unified authentication login. This mainly includes the following steps, as shown in the unified authentication login flow chart of Fig. 2:
1) The information application system applies to connect to the unified authentication platform and obtains its appid and appkey, so that the platform can correctly verify and authorize the information application system and the user in the subsequent authentication flow.
2) Set up the unified authentication login entrance on the information application system, that is, add the "log in with digital certificate" button.
3) User login authentication and authorization. At the information application system's login entrance, the user clicks the "log in with digital certificate" button and the page redirects to the login entrance of the unified authentication platform, where the user performs login authentication with the digital certificate. After successful login, an authorization page pops up, guiding the user to authorize the information application system.
4) After login and authorization are complete, redirect back to the information application system. If the user logs in successfully and authorizes, the page jumps to the application information system's callback address; this callback address is set by the information application system itself.
5) Obtain user certificate information and certificate extension attribute information. After the user logs in successfully, the information application system can send a request through the platform's open interface to obtain the user's certificate information and certificate extension attribute information, and then enter the normal business flow.
The above embodiment describes only part of the functions of the present invention; the embodiment and drawings are not intended to limit the invention. Any equivalent change or modification made without departing from the spirit and scope of the invention also belongs to the protection scope of the present invention, which should therefore be defined by the claims of this application.
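As an added illustration, not code from the patent or its assignee, the following Python sketch models the platform's checks from section 1) (validity period, CA signature, CRL) together with the appid/appkey, callback, one-time code and open-interface steps 1) to 5) just described. The trusted CA name, the revoked serial, the certificate records and the 60-second code lifetime are constructed assumptions, and the CA-signature result is taken as an input rather than computed, since the standard library has no X.509 parser.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_CA = "CN=Placeholder Root CA"   # placeholder issuer name, not from the page
CRL = {"0x1234"}                        # constructed: serials the CA has revoked

@dataclass
class CertRecord:
    subject: str
    issuer: str
    serial: str
    not_before: float
    not_after: float
    ca_signature_ok: bool   # assumed outcome of the PKI layer's CA-signature check
    extensions: dict = field(default_factory=dict)   # certificate extension attributes

def verify_certificate(cert, now):
    """The platform's checks on a login certificate: validity period, CA signature, CRL."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if cert.issuer != TRUSTED_CA or not cert.ca_signature_ok:
        return False, "not signed by a trusted CA"
    if cert.serial in CRL:
        return False, "revoked"
    return True, "ok"

class UnifiedAuthPlatform:
    CODE_TTL = 60   # seconds an authorization code stays valid (assumed value)
    def __init__(self):
        self.apps = {}     # appid -> (appkey, registered callback address)
        self.codes = {}    # one-time code -> (appid, cert, callback, issued_at)
        self.tokens = {}   # access token -> certificate of the authorizing user

    def register_app(self, appid, callback):   # step 1): issue the appid/appkey pair
        appkey = secrets.token_urlsafe(32)
        self.apps[appid] = (appkey, callback)
        return appkey

    def login_and_authorize(self, appid, callback, cert, now):
        """Steps 3)-4): certificate login, user consent, redirect with a one-time code."""
        if appid not in self.apps:
            raise PermissionError("unknown appid")
        if callback != self.apps[appid][1]:
            raise PermissionError("callback is not the registered address")
        ok, reason = verify_certificate(cert, now)
        if not ok:
            raise PermissionError(f"certificate rejected: {reason}")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (appid, cert, callback, now)
        return f"{callback}?code={code}"

    def exchange_code(self, appid, appkey, code, callback, now):
        """The application proves its appkey and swaps the code for an access token."""
        entry = self.codes.pop(code, None)   # pop: a replayed code is rejected
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_appid, cert, code_callback, issued_at = entry
        registered_key = self.apps.get(appid, ("",))[0]
        if code_appid != appid or not hmac.compare_digest(appkey, registered_key):
            raise PermissionError("appid/appkey mismatch")
        if code_callback != callback or now - issued_at > self.CODE_TTL:
            raise PermissionError("callback mismatch or code expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = cert
        return token

    def open_api_user_info(self, token):   # step 5): certificate details via the open interface
        cert = self.tokens.get(token)
        if cert is None:
            raise PermissionError("invalid token")
        return {"subject": cert.subject, "serial": cert.serial, "extensions": cert.extensions}

def demo(now=1_700_000_000.0):
    """Runs the flow once, then replays the code and checks a revoked certificate."""
    cert = CertRecord("CN=alice", TRUSTED_CA, "0x0001", now - 10, now + 3600, True,
                      {"department": "ops"})   # constructed sample certificate
    app, cb = "app1", "https://app1.example/callback"
    platform = UnifiedAuthPlatform()
    appkey = platform.register_app(app, cb)
    code = platform.login_and_authorize(app, cb, cert, now).split("code=")[1]
    token = platform.exchange_code(app, appkey, code, cb, now + 5)
    try:
        platform.exchange_code(app, appkey, code, cb, now + 6)   # replayed code
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    revoked = CertRecord("CN=bob", TRUSTED_CA, "0x1234", now - 10, now + 3600, True)
    return {"user": platform.open_api_user_info(token), "replay_rejected": replay_rejected,
            "revoked_reason": verify_certificate(revoked, now)[1]}
```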

Claims (3)

1. A method for realizing unified authentication login across multiple integrated application systems based on digital certificates, characterized in that:
Step 1: replace the original username-and-password authentication mode with digital certificate authentication; the private key of the digital certificate is generated, used and destroyed entirely inside a USB Key;
In step 1, users who have no digital certificate are guided to apply to a legitimate CA for one; for users of the original username-and-password system who already have a digital certificate, the existing digital certificate is bound to the original username and password;
Step 2: establish a unified authentication platform that provides a unified authentication service to each information application system;
In step 2, the unified authentication platform uses digital certificates as user profiles; each time unified authentication login is performed on the platform, the user's digital certificate and digital signature must be verified, and only after verification passes can the normal business flow be entered;
The unified authentication platform is implemented as follows:
(1) Certificate verification: according to the flow design, every certificate used to log in submits a signature at login time; the unified authentication platform verifies whether the signature is legitimate and, at the same time, whether the digital certificate is legitimate, including checking the validity period, the CA authority's signature and the certificate revocation list;
(2) Unified authentication service: the unified authentication platform provides a unified authentication service for all information application systems connected to it; on the login page of a connected information application system, clicking the "log in with digital certificate" button redirects the page to the platform for unified authentication, and after successful authentication the page redirects back to the information application system;
(3) Single sign-on: the unified authentication platform provides a single sign-on service for all information application systems connected to it; after logging in to the platform successfully once, the user can switch between the connected information application systems without repeatedly authenticating and logging in;
(4) Providing an open interface: an authorized information application system obtains the open functions through the open interface provided by the unified authentication platform; after the certificate user authorizes it, the information application system obtains the certificate user's details and certificate extension attribute information;
Step 3: the information application systems connect, perform login authentication and authorization, and complete unified authentication login;
In step 3, each information application system applies for an appid and appkey according to the OAuth protocol requirements provided by the unified authentication platform, then modifies its login module to add a "log in with digital certificate account" button.
2. The method for realizing unified authentication login across multiple integrated application systems based on digital certificates according to claim 1, characterized in that:
In step 3, the user clicks the "log in with digital certificate account" button on the login page of an information application system and the page redirects to the login page of the unified authentication platform; after the user logs in successfully with the digital certificate, the platform jumps to the "confirm and authorize" page; after the user confirms and authorizes, the information application system obtains permission to access the user profile, the page redirects to the information application system, unified authentication login is complete, and the normal business flow begins.
3. The method for realizing unified authentication login across multiple integrated application systems based on digital certificates according to claim 1 or 2, characterized in that:
In step 3, the specific steps of unified authentication login are:
(1) The information application system applies to connect to the unified authentication platform and obtains its appid and appkey, so that the platform can correctly verify and authorize the information application system and the user in the subsequent authentication flow;
(2) Set up the unified authentication login entrance on the information application system by adding the "log in with digital certificate" button;
(3) User login authentication and authorization: at the information application system's login entrance, the user clicks the "log in with digital certificate" button and the page redirects to the login entrance of the unified authentication platform, where the user performs login authentication with the digital certificate; after successful login, an authorization page pops up, guiding the user to authorize the information application system;
(4) After login and authorization are complete, redirect back to the information application system; if the user logs in successfully and authorizes, the page jumps to the application information system's callback address, which is set by the information application system itself;
(5) Obtain user certificate information and certificate extension attribute information: after the user logs in successfully, the information application system can send a request through the platform's open interface to obtain the user's certificate information and certificate extension attribute information, and then enter the normal business flow.
Priority date and filing date: 2013-11-05 (application CN201310542169.5A)

Publications (2)

Publication Number   Publication Date
CN103560888A (en)    2014-02-05
CN103560888B (en)    2017-02-08

Family ID: 50015044
